[16:33] <mdeslaur> \o
[16:33] <jjohansen> \o
[16:33] <tyhicks> hello
[16:33] <tyhicks> #startmeeting
[16:33] <meetingology> Meeting started Mon Jun  1 16:33:48 2015 UTC.  The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:33] <meetingology> Available commands: action commands idea info link nick
[16:34] <chrisccoulson> o/
[16:34] <tyhicks> The meeting agenda can be found at:
[16:34] <tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:34] <jdstrand> hi
[16:34] <tyhicks> [TOPIC] Announcements
[16:34] <tyhicks> We had a number of contributions over the last two weeks
[16:34] <tyhicks> Stefan Bader (smb) provided debdiffs for trusty-vivid for xen
[16:34] <tyhicks> Otto Kekäläinen (otto) provided debdiffs for trusty-utopic for mariadb-5.5 (LP: #1451677)
[16:34] <tyhicks> Gianfranco Costamagna (LocutusOfBorg) provided debdiffs for precise-utopic for virtualbox (LP: #1456553)
[16:34] <tyhicks> Andreas Cadhalpun (andreas-cadhalpun) provided a debdiff for vivid for ffmpeg (LP: #1458171)
[16:34] <tyhicks> Felipe Reyes (freyes) provided debdiffs for precise-vivid for openldap (LP: #1446809)
[16:34] <tyhicks> Thanks to you all for your assistance in keeping Ubuntu secure! :)
[16:35] <tyhicks> [TOPIC] Weekly stand-up report
[16:35] <tyhicks> jdstrand: you're up
[16:36] <jdstrand> hopefully today I will finish the big review tools update that will make the store and packages work as well for snappy apps and frameworks as for clicks
[16:36] <jdstrand> that got delayed a bit last week due to store api changes and LP being down (I wanted to pull down everything from the store and compare existing tools with trunk)
[16:36] <jdstrand> that's all resolved, just need to go through the output now
[16:38] <jdstrand> I've been working quite a bit on processes surrounding security support for system-image variants of Ubuntu (eg, touch and core)
[16:38] <jdstrand> that will continue
[16:38] <jdstrand> there is work planning with tyhicks
[16:39] <jdstrand> and I hope to at least start if not finish (for wily) handling seccomp policy upgrades on snappy
[16:39] <jdstrand> which will then need an SRU, at which point I will also do an SRU for ubuntu-core-security. that SRU work is likely next week
[16:39] <jdstrand> I have two embargoed items
[16:41] <jdstrand> that's it from me
[16:41] <mdeslaur> I guess I'm up
[16:41] <mdeslaur> I'm about to publish an ipsec-tools update for precise
[16:41] <mdeslaur> and I have some openssl updates that will be going out today that disable export ciphers
[16:42] <mdeslaur> after that, I'll be working on testing an apache2 update for precise that backports ecc support and better dh handling
[16:42] <mdeslaur> I also have some qt updates to test
[16:42] <mdeslaur> I am also looking into a glibc tzdata regression that is causing mercurial to FTBFS on 32 bit platforms
[16:42] <mdeslaur> that's it from me, sbeattie, you're up
[16:42] <sbeattie> I'm on community this week
[16:43] <sbeattie> I'm working through the backlog of outstanding apparmor patch reviews.
[16:43] <sbeattie> I'm also working on testing for the apparmor trusty SRU
[16:44] <sbeattie> I still have the gcc pie work on my plate.
[16:44] <mdeslaur> mmm....pie
[16:44] <mdeslaur> (that joke never gets old)
[16:44] <sbeattie> and I have an nbd updtae simmering on the back burner.
[16:45]  * sbeattie takes a note to use cooking analogies for all his future status reports)
[16:45] <sbeattie> that's it for me. tyhicks?
[16:45] <tyhicks> sbeattie: is it still possible to land the PIE change for wily?
[16:46] <sbeattie> I think so, yes.
[16:46] <tyhicks> ok
[16:46] <tyhicks> I'm handling bug triage this week
[16:46] <mdeslaur> oh, I have something else I forgot to mention
[16:46] <tyhicks> go for it
[16:47] <mdeslaur> I plan on uploading bash to wily today with the setuid privilege dropping re-enabled, and I plan on looking at taviso's patch for dash to do the same
[16:47] <tyhicks> oh cool
[16:47] <sbeattie> \o/
[16:48] <sarnold> yay :)
[16:48] <tyhicks> I plan on helping out with security updates this week
[16:48] <tyhicks> I will return to working on adding kernel keyring mediation support to AppArmor parser
[16:49] <tyhicks> hopefully wrap up work planning tasks
[16:49] <tyhicks> and I have a few embargoed items
[16:50] <tyhicks> that's it for me
[16:50] <tyhicks> jjohansen: you're up
[16:50] <jjohansen>  I need to finish up dealing with 2.10 patch review and replies, so we can get 2.10 out the door.
[16:51] <jjohansen> Finish up with the kernel security sign-offs
[16:51] <jjohansen> Figure out what we are doing for LSS (if anything)
[16:51] <jjohansen> Sync up on dconf mediation
[16:52] <jjohansen> Continue with the kernel patch cleanup
[16:52] <jjohansen> and I have an embargoed item or two
[16:53] <tyhicks> jjohansen: can you send your fix for bug #1430546 to the kteam this week? (I'm assuming it is just a git send-email away)
[16:54] <jjohansen> tyhicks: yes
[16:54] <tyhicks> thanks
[16:54] <tyhicks> sarnold: you're up
[16:54] <sarnold> I'm on cve triage this week; I'm also going to continue going through open openstack issues and figuring out which ones are still needing attention; I'll also try to handle a few apparmor patch reviews.
[16:54] <sarnold> I think that's it for me
[16:54] <sarnold> chrisccoulson?
[16:55] <chrisccoulson> I'm hoping for chromium updates this week
[16:55] <chrisccoulson> Also, I need to spend some time on Firefox - a recent change upstream has broken the way we handle localized search plugins in our packaging
[16:57] <chrisccoulson> I got an email last week (I think it got sent to everyone with an account on addons.mozilla.org) with details of addon signing in Firefox
[16:57] <chrisccoulson> It had a link to https://wiki.mozilla.org/Addons/Extension_Signing
[16:57] <tyhicks> I was about to ask if you have heard anything about that :)
[16:57] <chrisccoulson> (the tl;dr version - we need to get our addons reviewed and signed)
[16:57] <chrisccoulson> In Firefox 40, unsigned addons will be disabled (but there'll be a pref to override)
[16:58] <chrisccoulson> in Firefox 41, there'll be no override
[16:59] <chrisccoulson> I tried getting ubufox reviewed, but the automatic part of the process compains that we override the startpage (something which is prohibited in addons, but is the whole point of our customizations)
[16:59] <chrisccoulson> So I'm not confident we'll get that through a manual review
[16:59] <chrisccoulson> and then, webapps.....
[16:59] <chrisccoulson> Anyway
[17:00] <chrisccoulson> Other than that, I'll be working on stuff from https://launchpad.net/oxide/+milestone/branch-1.9
[17:00] <chrisccoulson> I think that's me done
[17:01] <tyhicks> chrisccoulson: dbarth's team will handle the webapps reviews?
[17:02] <tyhicks> chrisccoulson: who should handle the "Ubuntu Online Accounts" review?
[17:02] <chrisccoulson> tyhicks, I'm not sure. The experience with that addon is so bad currently, I wonder whether it's worth the effort (but I guess that's up to dbarth's team)
[17:02] <chrisccoulson> tyhicks, that would be dbarth too
[17:02] <tyhicks> ok
[17:03] <tyhicks> chrisccoulson: lets make sure they're aware of the newly released details in tomorrow's oxide meeting
[17:03] <tyhicks> [TOPIC] Highlighted packages
[17:03] <tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
[17:03] <tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[17:03] <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/gajim.html
[17:03] <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/nginx.html
[17:03] <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/pyfribidi.html
[17:03] <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/gcc-4.4-armel-cross.html
[17:03] <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/shaarli.html
[17:03] <tyhicks> [TOPIC] Miscellaneous and Questions
[17:04] <tyhicks> Does anyone have any other questions or items to discuss?
[17:06] <tyhicks> jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson: Thanks!
[17:06] <tyhicks> #endmeeting
[17:06] <meetingology> Meeting ended Mon Jun  1 17:06:07 2015 UTC.
[17:06] <meetingology> Minutes:        http://ubottu.com/meetingology/logs/ubuntu-meeting/2015/ubuntu-meeting.2015-06-01-16.33.moin.txt
[17:06] <jjohansen> thanks tyhicks
[17:06] <sarnold> thanks tyhicks!
[17:06] <sbeattie> tyhicks: thanks!
[17:06] <mdeslaur> thanks tyhicks